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A. CONTACT INFORMATION: 


Departmental Privacy Office 

Office of the Chief Information Officer 
U.S. Department of the Interior 
202-208-1605 

DOI Privacy@ios.doi.gov 


. SYSTEM APPLICATION/IGENERAL INFORMATION: 


1) Does this system contain any information about individuals {this question is applicable to the 
system and any minor applications covered under this system}? 


Facebook is a Software as a Service (SaaS) application that provides social networking 
services to millions of users world-wide. Individual user information is present within the 
Facebook application; however, DOI will not capture any such information. Although DOI 
does not collect, maintain or disseminate PII from users of Facebook, there may be instances 
where PII becomes available. For instance, if a member of the public requests information or 
submits feedback, their username or contact information may become available to DOI. Also, 
if there is evidence of criminal activity or a threat to the government, such information may be 
turned over to the appropriate authorities for further action. 


Is this information identifiable to the individual*{this question is applicable to the system 
and any minor applications covered under this system}? (If there is NO information collected, 
maintained, or used that is identifiable to the individual in the system, Sections D through G 
can be marked not applicable. If YES complete all sections for system and any applicable 
minor applications). 


Yes, information provided or posted by Facebook users is identifiable to individuals. 
Is the information about individual members of the public {this question is applicable to 


the system and any minor applications covered under this system}? (If YES, a PIA must be 
submitted with the OMB Exhibit 300, and with the IT Security C&A documentation). 





* “Identifiable Form” - According to the OMB Memo M-03-22, this means information in an IT system or 
online collection: (i) that directly identifies an individual (e.g., name, address, social security number or 
other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency 
intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. 
(These data elements may include a combination of gender, race, birth date, geographic indicator, and 
other descriptors). 
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Yes, information in Facebook is provided or posted by individual members of the public. 


c. Is the information about employees {this question is applicable to the system and any 
minor applications covered under this system}? (If yes and there is no information about 
members of the public, the PIA is required for the DOI IT Security C&A process, but is not 
required to be submitted with the OMB Exhibit 300 documentation). 


DOI employees may use Facebook in an unofficial capacity and have personal accounts that 
contain information about themselves. Official DOI accounts may also contain information 
about the Departmental programs and employees acting in their official capacity. 


2) What is the purpose of the system/application? 


Facebook is a U.S. owned web-based application that provides a free social networking 
service which is used by millions of users world-wide. Facebook users can create personal 
profiles, exchange messages with other users, join groups of similar interests, share photos 
and videos, and create events. User profiles may include photos, videos, lists of interests, 
and contact information, including personal information. Facebook users can communicate 
with each other and with groups through public and private messages and chat features. 
Users can set their own privacy settings and control who sees their information and what 
information is shared. However, the Department of the Interior has no control over content in 
Facebook, including personal information posted by users. 


The Department of the Interior established an official presence on Facebook to disseminate 
information to the public and enhance communication, to foster and share ideas, facilitate 
feedback on Department programs, promote public participation and collaboration, and 
increase government transparency. The primary account holder is the Department of the 
Interior Office of Communications, who will be responsible for ensuring information posted on 
the Department’s official Facebook page is appropriate and approved for public 
dissemination. 


3) What legal authority authorizes the purchase or development of this system/application? 


Presidential Memorandum on Transparency and Open Government, January 21, 2009; OMB 
M-10-06, Open Government Directive, Dec. 8, 2009; OMB M-10-23, Guidance for Agency 
Use of Third-Party Websites and Applications; the Paperwork Reduction Act, 44 U.S.C. 3501; 
the Clinger-Cohen Act of 1996, 40 USC 1401; OMB Circular A-130; 110 Departmental 
Manual 18, 110 Departmental Manual 5. 


. DATA IN THE SYSTEM: 


1) What categories of individuals are covered in the system? 


Facebook users include members of the general public and Federal employees; however, DOI 
does not collect, maintain, or disseminate PII from Facebook. 


2) What are the sources of the information in the system? 


Sources of information available in Facebook are Facebook users world-wide, including 
members of the general public and Federal employees. 


a. Is the source of the information from the individual or is it taken from another source? 
If not directly from the individual, then what other source? 
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Sources of information are Facebook users, including members of the general public and 
Federal employees; however, DOI does not collect, maintain, or disseminate PII from 
Facebook. 


b. What Federal agencies are providing data for use in the system? 


Federal agencies may utilize Facebook to disseminate information, enhance communication 
and for public outreach; however, Facebook is not used by DOI for dissemination of PII. DOI 
does not receive PII or other information from Federal agencies through the use of Facebook. 


c. What Tribal, State and local agencies are providing data for use in the system? 


Tribal, State and local agencies may utilize Facebook to enhance communication and for 
public outreach; however, DOI does not receive PII or other information from these agencies 
through the use of Facebook. 


d. From what other third party sources will data be collected? 
None. 
e. What information will be collected from the employee and the public? 


DOI does not actively collect, maintain or disseminate PII from users of Facebook; however, 
there may be instances where PII becomes available. For instance, if a member of the public 
requests information or submits feedback from their use of Facebook, their username or 
contact information may become available to DOI. The Department does not collect or share 
PII from the use of Facebook, except in circumstances where there is evidence of criminal 
activity, a threat to the government, a threat to the public, or when an employee violates DOI 
policy and is referred for disciplinary action. This information may include username and 
content, and the appropriate law enforcement organizations will be notified. 


Facebook users are subject to Facebook’s privacy policy and terms of use, and can set their 
own privacy settings to protect their personal information. DOI does not control the content 
or privacy policy on Facebook. DOI’s Privacy Policy informs the public that they are subject 
to third party social media website privacy and security policies, and DOI also informs the 
public that they may be subject to third party privacy policies when they leave a DOI official 
website to link to third party social media web sites. 


3) Accuracy, Timeliness, and Reliability 

a. How will data collected from sources other than DOI records be verified for accuracy? 
DOI does not collect or maintain PII from use of Facebook and has no control over Facebook 
content, thus does not verify any data for accuracy. Official information posted by DOI on 
Facebook is reviewed and approved for public dissemination prior to posting. 

b. How will data be checked for completeness? 
DOI does not check data posted by Facebook users for completeness. Official mission 
related information posted on Facebook by DOI is reviewed and approved for public 


dissemination prior to posting. 


c. Is the data current? What steps or procedures are taken to ensure the data is current 
and not out-of-date? Name the document (e.g., data models). 
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DOI does not collect or maintain PII from use of Facebook and has no control over Facebook 
content, thus does not ensure the data is current. Official information posted by DOI on 
Facebook is reviewed and approved for public dissemination prior to posting. 


d. Are the data elements described in detail and documented? If yes, what is the name of 
the document? 


N/A 


D. ATTRIBUTES OF THE DATA: 


1) 


2) 


3) 


4) 


5) 


6) 


7) 


8) 


Is the use of the data both relevant and necessary to the purpose for which the system is 
being designed? 


DOI uses Facebook to disseminate information, enhance communication with the public and 
for public outreach which is relevant to the purpose of the Facebook social networking 
application. 
Will the system derive new data or create previously unavailable data about an individual 
through aggregation from the information collected, and how will this be maintained and 
filed? 
No, DOI does not collect, maintain or disseminate PII from use of Facebook. 
Will the new data be placed in the individual’s record? 


N/A — DOI does not collect, maintain or disseminate PII from use of Facebook. 


Can the system make determinations about employees/public that would not be possible 
without the new data? 


No, DOI does not collect, maintain or disseminate PII from use of Facebook. 
How will the new data be verified for relevance and accuracy? 
N/A — DOI does not collect, maintain or disseminate PII from use of Facebook. 


If the data is being consolidated, what controls are in place to protect the data from 
unauthorized access or use? 


N/A — DOI does not collect, maintain or disseminate PII from use of Facebook, so no data is 
being consolidated. 


If processes are being consolidated, are the proper controls remaining in place to protect 
the data and prevent unauthorized access? Explain. 


N/A 


How will the data be retrieved? Does a personal identifier retrieve the data? If yes, 
explain and list the identifiers that will be used to retrieve information on the individual. 


Data will not be retrieved as DOI does not actively collect, maintain or disseminate data from 
use of Facebook. However, if a member of the public requests information or submits 
feedback from their use of Facebook, their username or contact information may become 
available and used to provide additional information. Also, there may be cases where there 
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is evidence of criminal activity, a threat to the government or the public, or an employee 
violates DOI policy and is referred for disciplinary action. This information may include 
username and content, and will be turned over to the appropriate law enforcement 
organizations. 


9) What kinds of reports can be produced on individuals? What will be the use of these 
reports? Who will have access to them? 


Reports on individuals will not be generated. 


10) What opportunities do individuals have to decline to provide information (i.e., where 
providing information is voluntary) or to consent to particular uses of the information 
(other than required or authorized uses), and how individuals can grant consent.) 


Facebook users have numerous opportunities to decline to provide information, generally via 
regular system and privacy settings. However, the provision of information and user consent 
applies only to terms of use for Facebook. DOI has no control over Facebook content and 
privacy settings, and does not request or collect any PII from use of Facebook. 


E. MAINTENANCE AND ADMINISTRATIVE CONTROLS: 


1) Whatare the retention periods of data in this system? 


DOI does not collect, maintain or disseminate PII from use of Facebook. Any information 
posted on Facebook, including DOI’s official Facebook page, is subject to Facebook’s 
privacy, security and records policies, and DOI has no control over the management of such 
information. However, as part of its public outreach effort, DOI disseminates information 
through postings on Facebook regarding its mission-related activities, which may be subject 
to Federal records requirements. DOI has submitted a social media records schedule to the 
National Archives and Records Administration for approval. The social media records 
schedule is for the management of general electronic records of official information postings 
published by DOI, and includes various activities that integrate web technology, social 
interaction and user-generated content. The records disposition is temporary, and records 
are destroyed when no longer needed for agency business. However, pending NARA 
approval all records are treated as permanent. 


2) What are the procedures for disposition of the data at the end of the retention period? 
How long will the reports produced be kept? Where are the procedures documented? 


Disposition of paper records includes shredding, burning and tearing, and electronic records 
are degaussed in accordance with Office of the Secretary social media records schedule 


1408 and 384 DM1. 
3) How does the use of this technology affect public/employee privacy? 


Affect on public/employee privacy is minimal as DOI does not collect, maintain, or 
disseminate any PII from Facebook. However, DOI does disseminate information on its 
mission-related activities on Facebook. The official information posted by DOI has been 
reviewed and approved for public dissemination so any privacy risks for the unauthorized 
disclosure of personal data by the Department is mitigated. DOI does not have any control 
over personal information posted by individual Facebook users, including members of 
general public and Federal employees. 


Facebook users are subject to Facebook’s privacy policy and terms of use, and can set their 
own privacy settings to protect their personal information. DOI does not control the content 
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or privacy policy on Facebook. DOI’s Privacy Policy informs the public that they are subject 
to third party social media website privacy and security policies, and DOI also informs the 
public that they may be subject to third party privacy policies when they leave a DOI official 
website to link to third party social media web sites. 


4) Under which Privacy Act systems of records notice does the system operate? Provide 


5) 


number and name. 


DOI has developed DOI-08, Social Networks System of Records Notice, which is expected to 
be published in May 2011, for referrals for criminal activity, threats to the government or the 
public, and to enable DOI Bureaus or Offices to implement public outreach programs 
associated with third party social media applications that may contain usernames and/or 
contact information and result in the creation of a Privacy Act system of records. DOI does 
not actively collect, maintain or disseminate PII obtained from the use of Facebook. 


If the system is being modified, will the Privacy Act system of records notice require 
amendment or revision? Explain. 


N/A 


F. ACCESS TO DATA: 


1) Who will have access to the data in the system? (E.g., contractors, users, managers, 


2) 


3) 


4) 


system administrators, developers, tribes, other) 


Facebook users set their own privacy settings to allow access to their data. There could 
potentially be millions of Facebook users who have access to information posted on 
Facebook, including the general public, Federal employees, private organizations, and 
Federal, State, Tribal and local agencies. DOI has no control over user settings or content, 
and does not collect, maintain or disseminate PII from Facebook. 


How is access to the data by a user determined? Are criteria, procedures, controls, and 
responsibilities regarding access documented? 


As noted above, access to data is determined by the Facebook user when establishing their 
privacy settings. The privacy settings and policy are governed and controlled by Facebook. 
DOI has no control over access controls in Facebook. 


Will users have access to all data on the system or will the user’s access be restricted? 
Explain. 


Within Facebook, users control access to their own PII, generally via system settings. DOI 
has the same access as any other Facebook user dependent on individual user privacy 
settings. DOI has no control over user content in Facebook, except for official DOI postings. 
DOI does not collect, maintain or disseminate PII from Facebook. 


What controls are in place to prevent the misuse (e.g., unauthorized browsing) of data by 
those having access? (Please list processes and training materials) 


Within Facebook, users control access to their own PII, generally via system settings. DOI 
has the same access as any other Facebook user dependent on individual user privacy 
settings. DOI has no control over user content in Facebook, except for official DOI postings. 
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5) Are contractors involved with the design and development of the system and will they be 
involved with the maintenance of the system? If yes, were Privacy Act contract clauses 
inserted in their contracts and other regulatory measures addressed? 


Facebook is a private third party website that is independently operated. DOI does not have 
a part in the development or maintenance of Facebook. 
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